21 Million German Bank Accounts For Sale

anerva writes "Black market criminals are offering to sell details on 21 million German bank accounts for €12M ($15.3M), according to an investigative report (German; Google translation) published Saturday. In November reporters for WirtschaftsWoche (Economic Week) had a face-to-face meeting with criminals in a Hamburg hotel, according to the magazine. Posing as buyers working for a gambling business, the journalists were able to strike a price of €0.55 per record, or €12M for all the data. They were given a CD containing the 1.2 million accounts when they asked for assurances that the information they would be buying was legitimate." 21 million is three in four existing German bank accounts.

How to pay...

[LingNoi]

Couldn't you just buy one to begin with and then use that German bank account to buy the rest?

Re:How to pay...

[OrangeTide]

Steal 10 euros from the 1.2million they showed.

Re:How to pay...

[Joebert]

I think it would be much more interesting to setup a program that generates a snowball effect that starts with a dollar in the first account and makes transfers slowly until it's spread through each account in the list, and seeing how far it would get before anyone noticed.

Re:How to pay...

[Ihmhi]

And then we can beat the crap out of the office printer and dance to rap music!

Re:How to pay...

[bigjarom]

Das ist genau das, was ich tun wird. Danke!

Re:How to pay...

[Amazing+Quantum+Man]

PC Load Letter? What the F**K does that mean?

Hmmm...

[RobertM1968]

You'd think they'd have gotten the police involved instead of trying to scoop a story...

Nah, guess not.

Re:Hmmm...

[LingNoi]

The police are too busy raiding game developer buildings with shotguns and listening in on Skype calls.

Re:Hmmm...

That's not their job or function in society.

Re:Hmmm...

[The+MAZZTer]

That's funny, I always thought it was a citizen's (of the USA at least) duty to report crimes to the police if you witness them.

Re:Hmmm...

[thegnu]

Yeah, journalists are sort of exempt, and it allows them to provide the free flow of information without getting a cap in their ass for trying to talk to gangsters.
yeah.

Re:Hmmm...

[afabbro]

That's funny, I always thought it was a citizen's (of the USA at least) duty to report crimes to the police if you witness them.

That would be funny. Fortunately, it's not true, at least in a legal sense. You are under no obligation to report a crime you witness.

Re:Hmmm...

[Ihmhi]

Okay, I know about the Skype thing, but what's this about them raiding a game developer's building?

Re:Hmmm...

[jdrugo]

You'd think they'd have gotten the police involved instead of trying to scoop a story...

From the article:

Wie so viele Kontonummern illegal in Umlauf gelangen konnten, muss in den nächsten Wochen die Staatsanwaltschaft Düsseldorf klären. Die WirtschaftsWoche übergab den Ermittlern am vergangenen Donnerstag die CD mit den 1,2 Millionen Datensätzen und Kontonummern.

which roughly means:

How that many account number reached circulation illegally is to be clarified over the next weeks by the prosecuting authorities of Düsseldorf. Reporters of the WirtschaftsWoche handed the CD with the 1.2 million data sets and account numbers to the investigators last Thursday.

So, they firstly contacted the responsible branch of jurisdiction and after that published the article.

Re:Hmmm...

No, they're referring to this raid on Crytek with the riot police:

http://www.quartertothree.com/game-talk/showthread.php?t=31767

Re:Hmmm...

...um, they did? I didn't RTFA since I'm German anyway and have heard more about this case than I care to know already, but they DID go to the police. Getting a good scoop for your magazine or paper and going to the police aren't mutually exclusive, you know.

Re:Hmmm...

[icebrain]

You are under no obligation to report a crime you witness.

Just like the police are under no obligation to protect you.

And I'm not being sarcastic, either. The courts (including USSC) have consistently ruled that.

Re:Hmmm...

[swillden]

Uhm... no? No such thing as Good Samaritan laws here.

Good Samaritan laws have nothing to do with reporting crime, they're laws that shield those who try to help injured people from civil liability for anything that goes wrong. They're a response to the problem of people refusing to help because they're afraid they'll get sued.

Re:Hmmm...

[jabithew]

I believe there's an entire amendment to your constitution about not having to say a damned thing to the police if you don't want to.

Re:Hmmm...

[Ihmhi]

Thanks for info on both. Very interesting.

Re:Hmmm...

[RobertM1968]

Thanks for the translation, but, that still doesnt change my point... they did not contact the authorities before the meeting. And now that this has made news, unless the "bad guys" dont read the paper, it will probably be that much harder to capture them.

Had the authorities been there and been involved, these criminals would already be behind bars, and their asset/info/computers/whatever would theoretically already be on the way to being seized - instead of the current more likely possibility where the criminals are now in hiding and the info is moved, destroyed, hidden or who knows what?

Re:Hmmm...

[Golddess]

It may not be their job, but who wants to be known as "those reporters" who didn't tell the police about a bunch of criminals who had bank details for 75% of all German bank accounts?

On your marks (no pun intended)

[pin0chet]

In theory, if the banking system were known to be compromised in such a huge way, and there were no way of knowing if your own bank account was compromised or not, shouldn't there be a massive bank run? Because everyone wants to withdraw their money right away to minimize the chance that this ridiculous security leak negatively affects them, right? Such a massive erosion of confidence can completely destroy a banking system.

Re:On your marks (no pun intended)

[OrangeTide]

bank account and routing numbers never was considered secure. the only thing protecting your bank account (weakly) from fraud is a paper trail.

Re:On your marks (no pun intended)

[henni16]

In practice, it will be the banks' problem.
Instead of running to your bank to get your money, you monitor your bank account and dispute/charge back possible fraudulent transactions.

Re:On your marks (no pun intended)

[aussie_a]

Everyone doing that then makes the news. House robberies go up to a ridiculous degree and everyone loses their money.

Re:On your marks (no pun intended)

[aussie_a]

And get it stolen again? Sounds like pretty weak security to me.

Re:On your marks (no pun intended)

[John+Hasler]

> In theory, if the banking system were known to be compromised in such a huge way, and
> there were no way of knowing if your own bank account was compromised or not, shouldn't
> there be a massive bank run?

This is Germany. There will be no bank run until it is properly planned, organized, and regulated.

Re:On your marks (no pun intended)

None of that is truly secret information in the first place. Every business prints its address, bank account number and bank routing number on each of its invoices. When you buy something on eBay, the seller will usually give you his name, address and bank account number and bank routing number: It's the information you need to send him the money.

There is a way of transferring money which is called "Lastschrift" or "Bankeinzug". Basically the recipient tells his bank that the sender has agreed to let the recipient debit a due amount directly from the senders bank account. The bank makes the transaction solely based on that promise. The bank does not require any form of proof that the sender has actually agreed to that transaction. In practice the recipient doesn't even have to get the name right. The transaction will go through even if the named sender doesn't match the bank account number. This seems like a major security problem, doesn't it?

It isn't a big problem because the sender can always reverse the charge. If the charge is reversed in a reasonable time frame (1-2 months), no questions will be asked. Reversing the charge is always free for the "sender", the sender's bank is paid by the recipient's bank for the reversal, which in turn will charge the recipient of the Lastschrift a (hefty) fee. Because of that, the recipient's bank treats amounts gained by "Lastschrift" like credit. You can't just debit someone else's bank account and make off with the money. That's exactly like getting a credit line over the same amount and making off with that.

Let's assume that you count on the carelessness of the people who don't regularly check their bank account transactions. Because the bank will not give you the money right away, unless you have a history of using the Lastschrift-system without problem with them, all it takes to stop the money from reaching you is a few people who do check their account transactions and report the fraudulent transactions to the police, which will then put a hold on the money and investigate you.

Re:On your marks (no pun intended)

[justinlee37]

Or they'll just change their online banking passwords.

Re:On your marks (no pun intended)

[hweimer]

In theory, if the banking system were known to be compromised in such a huge way, and there were no way of knowing if your own bank account was compromised or not, shouldn't there be a massive bank run?

In practice, this isn't much of a problem. Actually, there are two ways to earn money with this. You can commit old-school pen and paper wire transfer fraud, i.e., you fill out forms directing the bank to transfer funds from one account to another. However, there are two problems with that. First, you need to have a valid signature on the form and banks are required to check that (whether they actually do it is the banks' problem). Second, this scales not too well and if you dump 21M forms the bank will surely notice.

The second approach is to setup a fraudulent business and take part in the direct debit program. However, not everyone can participate in this and banks do some background checks. And even if there is a fradulent transfer from your account you can get your money back by a single call to your bank.

So in a nutshell, these methods can only be used to defraud negligent banks, not the customer. Oh, and all this typically doesn't work with saving accounts that hold the real money. That's why there is no reason to withdraw your money.

Re:On your marks (no pun intended)

[stirz]

Hey John,

the German cliché you mention might be true on one hand, but on the other, there are other reasons for the customers to relax and wait for further things to happen. German laws are somewhat consumer-friendly, so that Hans and Franz who eventually got digitally bankrobbed can be sure to get every single Euro back to their bank account - even if they take notice of this fraud after weeks.

By the way, this shows a not-so-famous German cliché: Germans expect governmental protection in many ways and rely on it.

You might have noticed that the European Union has suffered a noticable number of cases in which criminals manipulated ATMs to get access to both debit card data and the customers' security codes (so called "skimming"-fraud). As far as I have read about thoses cases, the banks have been balancing out every loss on their customers' accounts - even without any legal pressure to do so.

Maybe it is quite comforting to live here, in the Old World -- at least for my dear Euros :-)

Regards,

stirz

Gotta love the germans

[sleeponthemic]

Even their criminality is impressively efficient :-)

Re:Gotta love the germans

[ILongForDarkness]

Like all loyal German's they run SAP to optimize the process.

Re:So what

Yah, ho hum. I mean, I bought my first 21 million German bank accounts YEARS AGO. Nothing to see here folks.

Tomorrow's News

[Bentov]

This morning the entire banking system in Germany collapsed due to 3 in 4 Germans transferring money out of the country to banks in neighboring countries....

ohshiza?

[Stormie]

I think the taggers in this story need to learn how to spell "Scheiße"

Re:ohshiza?

[Killjoy_NL]

Nah, the ÃY isn't used that much in germany any more either ;)

Re:ohshiza?

[Killjoy_NL]

heh in cutting and pasting it got killed, I meant that cool character in the word Scheisse :)

Re:ohshiza?

[jlp2097]

He spelled it correct. The Rechtschreibreform did not abolish all Es-Zetts!

Re:ohshiza?

[zigurat667]

i think 'ohscheisse' is pretty ok if you're missing the 'ÃY' on your keyboard

Re:ohshiza?

[gEvil+(beta)]

I believe the correct term for the ß character is "Super B"

Re:ohshiza?

[Killjoy_NL]

For me it's either Beta or "ringel-S" :)

Re:ohshiza?

[gEvil+(beta)]

The Eszett is actually a different character from the Greek Beta.

1.2 million out of 21 million

[txoof]

It is possible that not all of the 21 million work, or are valid. If I were in the criminal's position, I would offer a CD where about 70% were valid. And then when the payment was made, provide a data set that had only a few working accounts and a bunch of garbage.

In any case, it's pretty scary to think that there might that much personal data out there.

Re:1.2 million out of 21 million

[Hoi+Polloi]

Or, release "honey pot" numbers to the criminals. Mix them in with the real ones (they already know that info so you aren't comprimising anything). Anyone who accesses those dummy accounts must be a criminal and can be targeted for investigation.

Re:So what

[henni16]

Who wants a mass list anyway, you can't target spam at people just because they're German and they have a bank account, and stealing that many identities begs the question, "why?"

Yeah, who could have use for the equivalent of 21 million valid direct debit cards.

May I introduce you to rule 36?

[zappepcs]

Rule 36 states:

There will always be even more fucked up shit than what you just saw

Now, I've been saying this all along, but nay sayers think the sky will never fall, and that the government is not out to get them. I've got bad news for you: It will, and they are, and if those two problems are not enough there will always be people willing to steal your stuff. period. no exceptions.

The fact that they have not stolen yours yet is merely an oversight on "their" part. It will happen at some point. Security is myth. Do not trust those that want to protect you. The government will never shield you, only pretend to do so. This is a harbinger of dangers to come, and reason to demand with some vigor that your financial institution be held accountable by law for the protection of your information. Yes, I mean that. If they want to do business with my money, I want guarantees. You should too.

Re:May I introduce you to rule 36?

[Jeff+DeMaagd]

OK, so you're saying that government isn't going to protect us, so the answer is to demand that financial institutions be held accountable to laws passed by a government that you said won't protect us?

Re:May I introduce you to rule 36?

[Cl1mh4224rd]

The government will never shield you, only pretend to do so. This is a harbinger of dangers to come, and reason to demand with some vigor that your financial institution be held accountable by law for the protection of your information.

Bolding mine, to highlight a serious disconnect in the parent's preaching.

You're suggesting that people demand that banks be held accountable to laws enforced by the very government you said won't protect them?

Re:May I introduce you to rule 36?

[The_Wilschon]

Rule W15 states:

There will always be a number less than 1, but greater than the number less than 1 you just saw.

Rule 36 doesn't imply that fuckedupness is unbounded above. Go make another tinfoil suit; they're about to get through this one!

Re:May I introduce you to rule 36?

[poopdeville]

Rule 36 doesn't imply that fuckedupness is unbounded above.

Oh really? I call Rule 34 on Rush Limbaugh, Whoopi Goldberg, a midget, and Steve Buschemi,

Re:May I introduce you to rule 36?

[mfh]

Slashdot: Where comments about Encyclopedia Dramatica can be modded as insightful. This reinforces the rule you mentioned, considering the sheer volume of scary things on that uncylopedia.

Re:May I introduce you to rule 36?

[jabithew]

Wow. This is a new level of Slashdot crazy. Can I borrow your tin foil hat?

Re:May I introduce you to rule 36?

[zappepcs]

Well, feeling a bit dramatic after taking a cold pill, I personally thought my post was funny, but hey maybe it was insightful humor? I'm guessing that the sarcasm of facial expressions did not transfer well with the post?

Re:May I introduce you to rule 36?

[zappepcs]

If history has any lessons for us, it would seem that such stops at the gallows or guillotine.

Ach, oh kein erstes kamen sie fur meine Bankkonten

[Orion+Blastar]

dann kamen sie fur meine Kreditkartennummer- und Provider-Kennworter.

Ich zahlte 10 Euro und aller, den ich erhielt, war Orion Blastar' Konto-LOGON und -kennwort s-Slashdot.

Just kidding, Babelfish doesn't translate it quite right.

Re:So what

[RedWizzard]

Who wants a mass list anyway, you can't target spam at people just because they're German and they have a bank account, and stealing that many identities begs the question, "why?"

Yeah, who could have use for the equivalent of 21 million valid direct debit cards.

How do you propose to obtain the 21 million valid direct debit cards? Ring up the banks and get them to change the address of every account to your address?

Re:So what

[RedWizzard]

Sorry, I missed the "equivalent of". But an account number is not the equivalent of a direct debit card. It's not that easy to withdraw money from an account when all you have is the account number.

Who wants to bet...

[emptycorp]

...they analyzed the bank accounts and the combined total in them is less than $1 million?

Re:Who wants to bet...

[Jesus_666]

You mean there's less than 500 Euros in those 21 million accounts?

21 million is 3/4 of accounts?

[Gothmolly]

Ha Ha! You have a small country !!1!

Re:21 million is 3/4 of accounts?

[quarrel]

I had the same reaction re the number of accounts. It is small.

However, Germany isn't all that small.

So some back of the envelope calcs:

They claim 21/.75 = 28M bank accounts in Germany

It's got roughly 80M people. Assume something like 2.2 people per househould (dunno what it is in Germany), and you get 36M. You gotta figure each household has at least one. I don't know how things really work in Germany, but I assume they're like the rest of the developed world and you essentially can't function without a bank account.

Then there are businesses. Even very small businesses will run several accounts.

I think the 28M bank accounts is just bullshit. It's gotta be heaps higher.

Surely 100M wouldn't be that big a figure even?

--Q

Re:21 million is 3/4 of accounts?

[Flibberdy]

I think the 28M bank accounts is just bullshit. It's gotta be heaps higher.

Surely 100M wouldn't be that big a figure even?

--Q

Perhaps a lot of Germans use the equivalent of UK building societies. They're not counted as Bank accounts but have a lot of the same functionality

Re:21 million is 3/4 of accounts?

The article says 3 in 4 households, not accounts. Take the exaggeration factor of a newspaper into account and it works out.

Re:21 million is 3/4 of accounts?

[MadKeithV]

75% of statistics are made up on the spot anyway.

Re:21 million is 3/4 of accounts?

[Opportunist]

Maybe it's just one single bank? It's not like there's only one in Germany.

Re:21 million is 3/4 of accounts?

[polar+red]

in europe, you're nothing with an account number, you also need the debetcard AND a PIN number.

Re:21 million is 3/4 of accounts?

[Xelios]

Because as TFA says it's "3 out of 4 households" that might be affected, not 3 out of 4 accounts.

Re:21 million is 3/4 of accounts?

[blind+biker]

Yes, probably BS. As you noted, every business, even small ones, have several accounts. Companies that do import/export have yet more accounts.
But futhermore, every employed and even most unemployed citizens have at least one bank account (not only one account per household). I have 4 bank accounts (in 2 separate banks), for instance. Often just to get a loan you open a new bank account - the loan itself is, as far as I could see, a separate bank account.

So I'd say that the figure is closer to 280 million accounts, rather than 28 million.

Re:21 million is 3/4 of accounts?

[quarrel]

Germany. Family of 4: 2 adults and 2 children.

Me and my wife share the same bank account and have separate Maestro Cards to access it. So 1 account / 4 people.

Take that, you insensitive American.

Bite me.

As if I'm an American. You silly northern hemisphere folks and your stupid generalisations ;)

I probably am insensitive, but given how touchy you were, I don't think I needed to mention as being particularly out of the ordinary.

--Q

Exactly

[tomhudson]

But an account number is not the equivalent of a direct debit card. It's not that easy to withdraw money from an account when all you have is the account number.

Every time you write a check, you're giving the recipient your bank address, bank account number ... AND a specimen of your signature. OMG! Quick - millions of people compromised their bank accounts today!

Re:Exactly

[trjonescp]

In 2008, checks are the sort of thing that would be used regularly only in an ass-backward country like the United States.

Re:Exactly

Actually, this is a serious problem. You probably should avoid giving checks to entities you don't trust!

Re:Exactly

[Jesus_666]

I know nobody who uses checks anymore. That's what wire transfers are for. In theory you can order checks from your bank but, well... I haven't seen a real checkbook in at least a decade.

Re:Exactly

[enrevanche]

A wire transfer typically costs $25 outgoing and $12 incoming and you need to know the receiver's bank account # & routing number. I seriously doubt that it is used that much by most people.

You probably mean direct deposit/automated withdrawal. Sometimes, these can be a real pain to cancel once authorized. For a "reputable" vendor, I suppose it is OK, but using a VISA/MC debit card is a lot easier to fix.

Re:Exactly

[Corporate+Troll]

No, he means exactly that. Wire transfers cost nothing in Europe (at least not in my country) and international wire transfers only require you to use an IBAN account number (which are already standard in some countries) and the SWIFT/BIC code. All this information is typically provided on every bill you get.

National transfers, you only need the account number that you with to wire money to. In most countries, the "bank code" is part of the account number. It most certainly is encoded in the IBAN. (Can you tell, that I implemented the IBAN code for a major bank?) IBAN is a wonderful system: a bit reading material

Re:Exactly

[dropadrop]

Wire transfer does not cost anything in Europe. I have a close friend from the US living here, and can't stop wondering at how the way your banks work are so 1980...

Re:Exactly

[svunt]

I manage a team of payment processing staff who do work for superannuation companies, local councils, payroll companies, etc, and we process around 17,000 cheques every evening, which is roughly three metric fucktons. We're one of nine offices in the country, one of many such companies, and I'm in Australia, which has a population of about eighty people, I think. There are lots of cheques, they're just not part of most slashdotters' lives.

Re:Exactly

[KDR_11k]

Checks are no longer guaranteed so noone takes them anymore.

Re:Exactly

[lukas84]

Except international wire transfers.

Like, from Switzerland to Germany. Which costs an 10+ CHF, so that for small amounts of money, sending it by post is cheaper and FASTER (of course more risky, but i was talking about small amounts anyway).

I will never understand why international wire transfers take more than a few minutes, instead they take three days minimum. National wire transfers also take an entire day, for no reason whatsoever. But at least those are free.

Re:Exactly

[RMH101]

Conjecture: you have information on 21M bank accounts. Presumably this includes account number, sort code and possibly other more sensitive information such as date of birth.
You then arrange the stealing/pickpocketing of cards. More likely, you request freshly stolen cards from a specialist. Some of those cards are going to marry up with the information you already hold, and may be enough to leverage funds.
Don't believe criminals are this organised? An example from personal experience. Turns out a machine at my other half's work was compromomised with a keystroke/screenshot recorder infection. First we haerd of it was when all our accounts were cleared out - someone had been organised enough to patiently continue recording "please enter X and Y character of your password" long enough to piece together the full password. They'd then used this on a saturday before a bank holiday to transfer all of our funds into another account at the same bank - this clears instantly and has less restrictions. They had then coordinated with someone in the UK who could provide them with a stolen debit card issued by the same bank, transferred our money into that account, and got a stooge to go into the bank just before it shut on saturday and take all that money out in cash - within hours of initial transfer.

End result? We were cleaned out, some innocent who had their card nicked had their bank account abused, and the criminals got our money in cash, untraceably. 6-8 weeks later, we were refunded but it was a long and unpleasant experience that taught me several things:
1) Don't assume your bank has a coherent identity theft/fraud department. Expect to get bounced around outsourced call centers that don't communicate with each other or the police. Don't expect them to be interested in IP logs or anything else you think might help them catch the hackers, either
2) "Organised crime" isn't just a phrase. They're quite advanced now, even outsourcing the donkeywork on the ground to other organisations
3) Two-factor authentication is a Good Thing with online banking
4) Don't do online banking on someone elses' computer

Re:Exactly

[dunkelfalke]

parent is right, for europe at least. even 15 years ago checks were a major pita for the banks, nowadays they are so seldom used that not every bank cashier knows what they are and what to do with them.

Re:Exactly

[kagebe]

Actually, most wire transfers in Germany don't cost anything, especially low volume ones. Some banks charge a very small fee (may depend on whether you do it online/offline). It's an often used payment for online shops/mail orders or to pay bills - maybe even more often than automated withdrawal.

Re:Exactly

[Sobrique]

Checks are less secure, prone to fraud, and an irritatingly non-portable form factor.

Quite why the US still insists on making electronic funds transfer more laborious than writing out a piece of paper, I still don't know.

Re:Exactly

[Chatterton]

It take 1 or 3 days because they make interests on your money during this time.

Re:Exactly

[Corporate+Troll]

Like, from Switzerland to Germany.

Ah! The example that confirms the rule ;-) Intra-EU, it's free... The other poster is right about the reason why it takes three days, by the way....

Re:Exactly

[umghhh]

It costs only if a transaction involves change of currency but if it is done in Euro the Commission did some serious ass kicking and it is free of charge now, so if you live in Euro area your transfer may be cost free.

I would not laugh of the US banking system, their banks may be old fashion when it comes to ripping of their private customers but when it comes to creating virtual wealth and putting cost of it on others they are the best - after all their misconduct caused pain all over and losses bigger abroad than at home - can you tell the same about banks in any other country?

Re:Exactly

[ArsenneLupin]

A wire transfer typically costs $25 outgoing and $12 incoming

Even Fortis isn't that expensive... Try more something more like â3. And you have the appropriate plan ("Global Club"), you get a number of free wire transfers per quarter.

and you need to know the receiver's bank account # & routing number.

Which surprise most people do. Bank routing numbers (BIC) are published by the banks themselves, and account numbers of people wanting to receive such transfers (shops, charities, admistrations ...) are public too. And if it's family or friends, they can give you their account number easily. Oh, and usually the account number is only enough if you want to put money on an account. If you want to remove money from an account, you'll need something more, such as a password, a signature plus id, etc.

I seriously doubt that it is used that much by most people.

Well, here in Europe, it is used very commonly, for all kinds of things.

Re:Exactly

[Nursie]

You don't use a direct transfer for paying for goods, that's what credit/debit cards are for. You use it for transferring money to friends/family. That was the niche of the cheque book previously.

In the UK, sending money by account number & routing number (sort code) is free and how we usually achieve the above.

Re:Exactly

[the_other_chewey]

A wire transfer typically costs $25 outgoing and $12 incoming and you need to know the receiver's bank account # & routing number. I seriously doubt that it is used that much by most people.

In Germany, in the majority of cases wire transfers are free. This is even so for most of the transfers within the EU.
You will have a hard time to find anyone in Germany who even knows how to fill out a check, let alone have one available.
Most retailers probably won't even know what to do with it any more.

Re:Exactly

[rah1420]

17k cheques = 3 metric fucktons

Wow, that's some heavy paper. That's three ounces avoirdupois per cheque, roughly.

Yes, I have no life.

Re:Exactly

[Random+Walk]

Sure you pay with direct transfer.. at least in Germany. Who needs credit/debit cards if there is a perfectly working wire transfer system, with terminals in almost any shop?

Re:Exactly

[Sir_Lewk]

Trust me, nobody even uses them here.

Re:Exactly

[Nursie]

Wow, OK, never heard of that before. It's a few years since I worked in the payment industry though.

Re:Exactly

[Bugsville]

just the old lady in front of me at the grocery store.

Re:Exactly

[jonbryce]

In Britain, which is probably still the largest cheque using country in Europe, grocery stores stopped accepting cheques about a year ago.

Re:Exactly

[jonbryce]

Yes. I think Iceland wins the prize for that.

Re:Exactly

[Lumpy]

Checks have to be hand processed. Mailed in checks haveto have a Person paid to open it and key it in and then hand carried to a bank.

Yet when I pay electronically on the internet where NO costs in labor are had, I am CHARGED a convience fee for doing so.

Only because of Fradulent tactics by businesses and banks are paper checks still in heavy use. If these companies were not blatently trying to rip me off, I'd pay via online all the time. Instead I send them a paper check that costs them more money to process.

Paying my Gas bill is more expensive online with a bank card payment than me sending them a check or even the bill WITH my bankcard info on it for them to process. I refuse to pay $10.00US convience fee to make their life easier and cheaper.

Re:Exactly

[b0bby]

Yeah, one of the last checks I wrote was for a parking ticket in NYC. I went to pay it online, then saw that they were going to add a $2 fee. I know that they get hit with processing costs, but screw that, they can deal with my check & get their money slower. Having said that, all my bills are done either onto credit card or direct from my checking account, and none of them are trying to make me pay more for making their lives easier.

Re:Exactly

[b0bby]

Checks are such a pain that our bank gave us a check scanner (optical recognition for the amounts, magnetic for account / routing numbers) so we do the processing ourselves. We scan them in through a web connection, then file them away for a month or so before shredding. The bank never touches them, and we never have to go into the branch anymore.

Re:Exactly

[StalinsNotDead]

They're those big checks they hand out to charities or sweepstakes winners.

Re:Exactly

[hesaigo999ca]

I still use cheques to avoid the auto debit thing, where once an organization has access, it is almost impossible to cancel.

Re:Exactly

[Cytotoxic]

Three day transfers are not called wires in the US. They are called ACH transfers. They are free - treated the same as checks, using the same clearing house that checks route through. Wires are instantaneous bank-to-bank transfers - you send the money at 9:47 am and it arrives at 9:47 am, usually costing a ridiculous amount of money, $5-$75 depending on your banking relationships.

Re:Exactly

[VeNoM0619]

That and the fact that encryption is ILLEGAL in Germany... so how else can you store bank records...?

Re:Exactly

[Anachragnome]

"Sometimes, these can be a real pain to cancel once authorized."

Amen. I had to cancel my bank account to do so. I had Verizon accessing it when I told them in WRITING that they were no longer authorized to do so. Their response? Try to access bank account again, then charge me an "insufficient funds" fee when they realized it no longer existed.

I do ALL my bill-paying with paper now. Fuck em if it costs THEM more, the other option was ZERO security on my BANK account.

Re:Exactly

[glimmy]

I work in retail (in America) and checks are used almost exclusively by the elderly, but they use them indiscriminately. I have occasionally had people buy a single greeting card with a check.

Re:Exactly

[dave562]

I used to think that too until I was educated on the subject. Most of the checks are all processed mechanically these days. They have machines that cut the envelopes open and sort the checks and statements. The checks are then scanned and processed electronically. My reason for sending checks in is that I wanted to keep as many people employed as possible. Now granted, opening envelopes and keying in numbers may not be the best job in the world. However at least it was a job. It kind of burst my bubble when I figured out that machines do 99.9% of the check processing these days.

Re:Exactly

[Hijacked+Public]

Not any more they don't. Google "Check 21".

The recipient of a check can present it electronically. In almost all cases the recipient's bank will present it to the writer's bank electronically, and depending on the recipient's size they might present it to their bank electronically. Your paper check might never show up at any bank at all.

Re:Exactly

[jawtheshark]

With a standing order?

Re:Exactly

[jawtheshark]

Where I live (Europe), you contact the bank to cancel the direct debits. It's easy... Next time that organization tries to get the money, they get a nice message it has been cancelled. I have done this on numerous occasions.

Re:Exactly

[jawtheshark]

encryption is ILLEGAL in Germany

Citation needed.... I have as a matter of fact worked with a German product doing encryption before the export limitations of the US were lifted.

Re:Exactly

[Corporate+Troll]

I don't know of 0-day transactions in Europe. But the system as is works, and that's the whole point.

Re:Exactly

[Hatta]

You say that like it's funny, but it's a serious security problem with the way checks are handled. Anyone who catches a glimpse of one of my checks can withdraw as much as they want with no questions asked. This is not a new problem.

Personally, since the banks implemented this flawed scheme, they ought to be responsible for every fraudulent withdrawal. That would make them clean up their act really quick.

Re:Exactly

[Zebano]

It costs me approximately $20 for a box of four books of checks. I also do not have the online convince fee. Ergo, no checks for me.

Re:Exactly

[LM-Els]

Wires are instantaneous bank-to-bank transfers - you send the money at 9:47 am and it arrives at 9:47 am, usually costing a ridiculous amount of money, $5-$75 depending on your banking relationships.

When I send money from my bank account in Europe to someone else who has an account with the same bank, it gets there instantaneously, and still costs nothing. The moment I press Send on my computer screen, they can withdraw it from a cash machine in the street. (from one bank to another it usually takes one day)

Re:Exactly

[hesaigo999ca]

You have obviously never been defrauded by a certain type of transaction pre-authorized, where it is not the cheque, but the authorization that is not able to be canceled. Try setting one up with your hydro, then last minute call the bank to cancel the authorization, they will tell you you have to contact the other party, and they will cancel it. If it is fraud, chances are you will not be able to contact them, then you will have to get your bank to start an investigation, etc,,etc.

Re:Exactly

[VeNoM0619]

Guess I should retract that statement, doing a search I can no longer find a list of countries where encryption was illegal... Maybe for private use. I read it like a year ago.

Re:Exactly

[jawtheshark]

I have done this at numerous times. I fired up the ebanking site they have, wrote an email explaining the situation (internal secured email). That was it. I got a complaint letter from the institution, but that one was filed vertically.

Re:Exactly

[jawtheshark]

The NSA ban has been lifted for ages. There were some countries where it was illegal for private use. France was one of them IIRC. Not Germany, AFAIK.

Re:Exactly

[hesaigo999ca]

You are in europe?
I am in Canada, and in Canada, there seems to be a faulty system in place which
has many people reeling when this sort of thing happens,
if you google it, you will see many people having a problem of
fraud on their banking accounts because their institutions seem to honor
to a fault the commitment from authorized debit.

Re:Exactly

[jawtheshark]

Yes, Europe here.... To authorize an institution, you send a signed paper to the institution, and that institution then sends it to your bank. (That way both the bank and the institution are informed) When you want to cancel it, you send a notice to your bank. The institution will be informed by your bank.

Easy.... and even logical in my eyes...

Re:Exactly

[raphae]

Since this thread went from the topic of checks to bank Überweisungen (German word for bank transfer), I'm surprised no one mentioned TAN numbers. At least with my german bank account, each überweisung required that a valid, unique TAN number be entered. The bank would send a list of fresh numbers every so often on one of those carbon papers where you peel the front side off to reveal the text. The lists would have many dozens of number, far more than the typical account holder would probably need, and whenever the new list arrived all the numbers on the old one would automatically expire.

I guess the equivalent would be requiring a unique number for each check that one wrote, which would probably much more secure than a signature.

The only down side is that it would be an inconvenience if you lose the list of TAN numbers although you could probably just go into a branch or even call to have a new one sent.

I also recall using Überweisungen for eBay purchases, and often wonder to what extent the existence of free bank transfers in the EU has had on eBay and Paypal. I do not know how such transactions would be handled in the case of a transaction dispute. Perhaps the bank would mitigate the dispute much like they do with credit card disputes. Maybe someone else can enlighten on this issue.

Re:So what

[Fluffeh]

If you talk to the Russians, I reckon they would say they "eat 21 million German bank accounts for breakfast". I guess it's only news because it's a western European country.

It's not like getting valid numbers is hard these days though. I mean just google for tons of pages describing it and you can effectively have all the valid numbers you want.

How to use???

[It+doesn't+come+easy]

21 million is a lot of accounts. No one person or group has time to abuse all 21 million accounts in a timely fashion. More likely, one would need to rely on the lackadaisical attitude most people have when it comes to security coupled with a low volume approach to the number of transactions to an external account in order to profit from purchasing all 21 million accounts.

The purchaser would also have to consider just how many accounts would be accessible and for how long. It might not be practical to expect to make significantly more than 12 million euros even with 21 million accounts, since most accounts would probably have low balances or have their passwords, etc., changed rather quickly if the account had a high balance.

So to use this many accounts, one would need to set up a number of new accounts in other banks (a few at a time and more than one so that the number of transactions to a given account would not be too high), then siphon a little bit of money off a few stolen accounts to some of the new accounts, withdraw the money, then close the new accounts almost immediately. The amount withdrawn would need to be random and small enough to escape detection for at least a few days. Anything faster would surely raise suspicion and cause automatic transaction blocking (at least, if the banks have some kind of working fraud prevention), especially since the announcement of the stolen data up for sale. I can also imagine adding a fraud check for a slurry of never-seen-before transactions to new accounts. Wire transfers would be quickest, yet they would also stand out more (since a bunch of new wire transfers from accounts which had never made a wire transfer before would be unusual -- the likely case for most accounts).

The 12 million price tag seems like a number arrived at by the thieves after taking into account the difficulties to be faced in exploiting the 21 million accounts while they are still exploitable. It seems likely that any purchaser would in turn sell them again in smaller blocks (a lot safer that way, relatively speaking).

Wonder if we'll ever find out what eventually happens?

Re:How to use???

[KDR_11k]

I'm not sure that data can actually be used for initiating transactions, just like a list of email addresses won't let you read the emails those receive.

Re:How to use???

[sanosuke001]

foreach( $accounts AS $account )
{
$funds = get_funds($account);
transfer( $funds, $account, $my_account );
}

Re:How to use???

[sanosuke001]

and if you're worried about being found out...

for( $i = 1; $i < 100; $i++ )
{
transfer( $funds, $my_account[$i-1], $my_account[$i] );
}

Re:How to use???

[It+doesn't+come+easy]

However, if the bank watches for some ridiculously large number of transactions to one (or a few) destination accounts then something like this wouldn't work. After all, suddenly seeing 3000 transfers to one account within a few minutes or even hours of each other, especially if the source account has never submitted the transfer before, is suspicious and easy to automatically block for manual verification. The only difficulty would be to manually verify 3000 transactions with each source account owner individually and in person (i.e. not by some quick electronic "click YES to allow this transaction", since that could be automated by the thieves as well).

Seriously, but seriously

This is the scariest headline I've read in a long, long time. If this information allows remote access to the accounts then a concerted group effort could _completely_ destroy most German depository institutions by conducting mass withdrawals.

If German banks have reserve requirements similar to American banks (10%) then they would only have enough capitol to cover 1/6th of the potential withdrawals. Not only would this lead the banks not to have any working capitol (the life-blood of every bank. See: 02008 financial crisis), but would leave nothing left over for uncompromised account holders. Deposit insurance notwithstanding, I'm sure you know what would happen if the general public found out about this.

Organized criminals smart enough to buy 24M bank accounts are probably also smart enough to know this and take advantage of the corresponding extortionary power. I seriously cannot believe we are reading about this. If I was in German law enforcement there's absolutely no way I'd let this story see press. The fact that it was undercover reporters and not cops in that meeting amazes me.

I really, really hope that the cops and banks react more swiftly to this story than the German public. I'm also praying that the mechanism by which this information was stolen is limited to Germany...

Re:Seriously, but seriously

[Zironic]

It would probably take the average bank about 5 seconds to notice someone is doing a mass withdrawal from their accounts and another 5 seconds to reverse it.

Considering banks take an entire business day sometimes more to transfer funds to another bank and you'll realize why the details are sold so cheap, it's HARD to get money out of a bank and even if you did manage to get a sizable money out it would probably be relatively easy to trace and you'd be a high priority target for international agencies.

mmm... that means that ...

[Jerry]

the Linux desktop market share in Germany is only 25%.

Re:mmm... that means that ...

[russlar]

the Linux desktop market share in Germany is only 25%.

What do you mean only? Where I come from, 25% is pretty damn good!

Re:mmm... that means that ...

[xous]

It's a play on the three in four accounts compromised.
Accounts not compromised: 1 in 4
1/4 = 25%
He is implying that they were compromised because they were running something that was not Linux.

Re:mmm... that means that ...

[Asic+Eng]

This article has really nothing to do with computer security. It's not account logins which are on the CDs in question - it's merely account numbers and names. So with this information you can not log into someone's bank account. However you could request direct debit from that person's account into your account. If that person objects later, then the transaction is canceled.

So if you want to use this information to get money you need to setup an account (which creates a significant paper trail - including passport or ID numbers) and make sure you withdraw the money before the bank catches up with you.

One possibility to make money with this is to withdraw only very small amounts, and hope the victim doesn't even bother to check the small charge.

Re:So what

[joocemann]

lmao.

buying bank accounts in bulk is soo..... 2007...

Re:So what

[henni16]

You have to keep in mind the differences between countries.
In Germany, the most popular way to order stuff online is to give your bank account number to the merchant who will then charge your account.
It works just like a credit card number and stores rarely check if the number (account) really belongs to the person that's making the order.

The only time I have encountered such a check was with Paypal:
they do two small test transactions (just Cents) and you have to ..I actually don't remember right now..either enter the correct amounts into a form on Paypal's site or to send the cents back to prove that you really have access to that account.

Re:21 million accounts on the wall

[actionbastard]

That's 20 (twenty) million and nine hundred ninety nine thousand and ninety nine accounts, douchebag.

Re:Tomorrow's News

[John+Hasler]

...Such as Iceland?

Re:So what

Nice combo-post there. You start with a subtle misunderstanding of the topic, move to a non-sequitur, then finish with a classic "begs the question" dismount.

Re:So what

[RedWizzard]

You have to keep in mind the differences between countries. In Germany, the most popular way to order stuff online is to give your bank account number to the merchant who will then charge your account. It works just like a credit card number and stores rarely check if the number (account) really belongs to the person that's making the order.

So what protection do you have if a merchant charges incorrectly? If bank account numbers can be used like credit card numbers then bank accounts should have the same sort of fraud protection as credit cards.

I want to believe

[gblackwo]

Just adding my bit to the spirit of your post if I may: I want to believe

I did it last week

[ZiggyM]

I live in Lima Peru. Last week a teller at my bank made me wait 10 minutes while she waited for the safe to open to give me some cash. In the meantime I went to a computer terminal without a keyboard, and access to only a webpage with the bank rates (windows, no start menu, no access to desktop etc). The machine was supposedly locked so that you couldnt navigate away or do anything except scroll the page and click a few links. Well, they forgot do disable right-click. 7 steps later I was able to access their internal network, and had access to a lot of internal information on individual machines. I went to the branch manager and showed him. He was surprised and embarassed, and took note of the steps I took. It was amazing how easy was to do it. The 7 steps were clever, but not impossible.

Re:I did it last week

[Anpheus]

It's probably a lot easier with Internet Explorer, because typing C:\ takes you... guess where?

And if they have some trivial block on using that path mapping, you can always just do \\127.0.0.1\C$

Re:I did it last week

[Rod+Beauvex]

In America, that gets you in *big* trouble.

Re:I did it last week

[DirePickle]

It does the same thing in Firefox.

Re:I did it last week

[MaskedSlacker]

If you lived in the US, you would be sitting in a jail cell right now facing felony charges FYI. Never help anyone with their computer in the US. It's not worth it.

Re:I did it last week

[svunt]

Read the parent, no keyboard...I guess you could copy and paste each letter you needed from the webpages available, but that needs right-click too, so you're no better off.

Re:I did it last week

[karmatic]

If you lived in the US, you would be sitting in a jail cell right now facing felony charges FYI. Never help anyone with their computer in the US. It's not worth it.

Eh, that's not always true.

I was stuck in a Wells Fargo branch for a bit 3-4 years ago, and their kiosks would only go to wellsfargo.com. Being the enterprising person that I am, I immediately typed the HTML for a hyperlink into the search box, it worked just fine.

When I got home, I whipped up a quick Proof of Concept that abused JavaScript to do some nasty things (Cross Site Scripting attack). I contacted Wells Fargo, gave them the details (as well as how to fix it) - it was fixed in a couple days, and they called and said "thanks".

I was careful to keep it proof of concept - tested only against my own account. I also phrased it carefully - "An unscrupulous attacker could...", rather than "I could...". Furthermore, I pointed out that as a Wells Fargo customer, it is in my best interest that the environment be as secure as possible - it's my money too. When you look like a threat, they treat you like one. When you look like a concerned customer protecting your (and their) interests, there is little incentive to silence or harass you.

Re:I did it last week

[RMH101]

Start...Programs...Accessories...Accessibility...On Screen Keyboard

C'mon people, this and the "right-click in a file open/file save dialogue box to get access to explorer" is known to anyone who's ever wanted to open their MySpace profile from a school PC. Very, very shoddy on the Bank's behalf and probably opens them up to stiff penalties under local financial regulatory laws

Re:I did it last week

[donatzsky]

Actually no. There's a "Go" button next to the address field. And if it's not there you just have to right-click the toolbar to get it back.

Re:I did it last week

[Extremus]

You, for instance:

http://en.wikipedia.org/wiki/Image:Foreign_Holders_of_United_States_Treasury_Securities-percent_share.gif

Supposing you are American, of course.


*OK. This is not totally accurate...

Re:I did it last week

[ZiggyM]

Maybe you should read my comment again. THERE WAS NO KEYBOARD.... also the whole drive was locked by administrative permissions.

Re:I did it last week

[ZiggyM]

Ok, I didnt want to make my post too long, but, there was nowhere to paste to. The webpage was in fullscreen mode without address bar, and you couldnt get out of it.

Re:I did it last week

[ZiggyM]

Ok,I didnt think people would reply to my comment, so Ill explain some of the steps. The whole machine was locked with administrative rights, the was no address bar or keyboard, and the webpage was in fullscreen. I right-clicked and most was disabled, but "Print" was enabled. In the print dialog, you couldnt do much, but one of the tabs had "print to file". When it asked me to select a file location, some administrative right would not allow me to select anything in the "browse" dialog. At that point, the start menu appeared because the browser left full-screen mode (Im sure an IE bug), but it was empty. You could, however, right-click it, and a "scan for viruses" option was available. Selecting it took me to another dialog where most actions got an error from administrative rights. But one tab had an "exceptions" button. Playing arround with the options, I finally got to another "browse" dialog, and this one had the "network" shortcut on the left pane of the browse (windows vista). Bingo. I could navigate the entire network down to individual files on individual machines. Their network was huge, it had hundreds of domains. Ive left some steps out in case a fello[w/n] peruvian reads this, though probably they already fixed it. Its the largest bank in Peru. The fact that the start menu was empty, and that I got several errors along the way regarding administrative rights means that someone took the time to try to lock it down pretty hard, except they forgot or never thought that the right-click could eventually give me access to important stuff.

R We "Waggin The Dog" Here??

[realperseus]

Seriously, is this story a plant to "shove" the German banking system into the same "tornado" that the English, Irish, Americans, etc.. have been experiencing lately? Seriously.. have not the Germans been hanging onto their economy (by a thread I may add) while other EU countries have spiraled? I smell a "fish".. . Get German citizens to withdraw their money from banks and cause yet another country to collapse.. .

Re:at work

[dakameleon]

Yep, AC hits the nail on the head here... if 21 million is allegedly 3 in 4 German bank accounts, then there's only 28 million accounts in Germany and the remaining 82,369,552 Germans (minus the 14% under 15, say) obviously keep their cash in their mattresses.

Re:So what

[trampel]

You can reverse the charge within a 6-8 week timeframe with no questions asked, which then puts the burden on the merchant to prove that the charge was legit.

Hmm...

[sootman]

21 million is three in four existing German bank accounts.

I have for sale EVERY VISA NUMBER EVER ISSUED! From 4000 0000 0000 0000 to 4999 9999 9999 9999! (Note: some numbers may not be valid.)

I will sell them for US $1,000,000 MILLIONS US DOLLARS. Contact me via this website.

Act now and I'll throw in every Master Card ever issued. (5000 0000 0000 0000 to 5999 9999 9999 9999) (Same disclaimer as above.) And no identity thief would be complete without a REAL SOCIAL SECURITY NUMBER to go with it, eh? Guess what? That's right--I'VE GOT THEM ALL TOO! (001-01-0001 to 999-99-9999)

Re:Hmm...

[Steve+Baker]

I loath your type, you fiend. But even I have to admit, your leet skills cannot be denied. I sit in awe of your abilities and mastery over our pathetically insecure base 10 numbering system.

Re:So what

[spoco2]

Seriously? That's a bit backwards.

In Australia you give someone your BSB (bank identifier) and your account number, and all they can do with that is put money INTO your account.

Therefor the worst someone can do with a whole host of these is to go on a mass donation binge.

Re:This is scary.

Need an automatic screenshot taker? Try here. [16software.com]

Is your PrntScrn key broken?

Reporters?

[PPH]

In November reporters ... had a face-to-face meeting with criminals

So, where were the cops? How do you say "Denny's" in German?

Seriously, most of our local police force is working undercover at the local titty club, buying lap dances.

Re:So what

[EvilIdler]

Wow, that's so behind. In Norway, there's no way to charge an account without full ID. This means either approving a direct debit by showing up at the bank with your picture ID, or logging on through the (relatively) secure website.

Just allowing anyone to put a charge on a bank account number like that opens up for all sorts of abuse. Tiny transactions can go unnoticed for a long time.

Of course, debit cards in stores aren't really any safer. Nobody has ever checked the signature on one while I've used them. A signature is required when the system for some reason can't contact the bank and verify the PIN. I've used other people's cards just fine (with permission, of course, but the banks might find me signing my name a bit funky ;).

Anything but cash is broken, obviously :(

Re:So what

[scubamage]

Plus, in Norway there were Vikings. And Vikings rank only slightly behind Pirates and Ninjas on the Cool-O-Meter (tm, patent pending).

Re:Linux?

[cyphercell]

Dude, I don't think Microsoft would stoop that low? Really?

Re:So what

[TCM]

In Germany, the most popular way to order stuff online is to give your bank account number to the merchant who will then charge your account.

You must be pulling that out of your ass.

The vast majority of online stores want to be paid in advance or with pay-on-delivery. Stores charging your bank account are really the minority.

Re:So what

[ModernGeek]

PayPal normally makes two deposits into your account for a few cents, and you then report to paypal how many cents were deposited so that you can verify you are the account holder. I think slashdot found a solution to the age old four step profit formula:

Step 1: Open a PayPal Account
Step 2: Verify Account Information
Step 3: Repeat Step 2 Many Times
Step 4: Profit!

Re:So what

[Jesus_666]

Actually, not all merchants offer this and I'd only give an Einzugsermächtigung (direct debit authorization) to a company I trust to not abuse it, like one of the big tradidtional mail-order companies. I know I can issue chargebacks but still.

The default mode of operations for smaller mail-order/online-order companies is advance payment through wire transfer (or sometimes PayPal) or payment-on-delivery. Advance payment is what I usually use; it doesn't grant random companies access to my account and doesn't cost me any money, unlike payment-on-delivery.

I have a credit card but that is only for international orders where a CC works better than the alternatives.

Steve Jackson Games raid?

[SethJohnson]

Perhaps the GP is referring to the Steve Jackson Games raid that took place here in Austin, TX back in the eighties.

Seth

Re:Steve Jackson Games raid?

[KDR_11k]

I think he was talking about CryTek, that emo company that starts to whine and threatens to cut itself every time someone talks about violent videogames.

Re:Linux?

[Jesus_666]

Yes, we switched to Linux. All of us. We can tell because all Germans share a hive mind. That's also why we all use the same bank account (plus 20,999,999 business accounts).

6 weeks reversal

[krischik]

As trampel pointed out: you have a 6 weeks reveal time frame. What trampel missed is: A real fraudster will have moved the money onwards by then. Which puts the loss to the bank.

Of course: As with riding without a ticket in the end we the honest customers will pay through higher bank/ticket changes.

Re:6 weeks reversal

[Opportunist]

Hehehe, you think? You really think a abank would swallow a loss?

Nope.

You have a 6 weeks time frame to ask for a reversal. The bank will try to do it. If they can (because the one who'd suffer the loss of it is another simple person or a small business), you'll get your money back and the person that got the transfer has to deal with the loss.

If they can't, because it's some other bank or because the business would be able to fight it, they ponder what's more hassle: Duking it out with you or with them.

Now guess who's less likely to be able to mount a lengthy legal battle, you or the other bank.

Re:6 weeks reversal

[xaxa]

If they can't, because it's some other bank or because the business would be able to fight it, they ponder what's more hassle: Duking it out with you or with them.

Now guess who's less likely to be able to mount a lengthy legal battle, you or the other bank.

I'm British, but Germany is similar.

We have consumer protection laws that prevent that kind of thing. And also a legal system that isn't quite so in favour of big businesses.

Re:6 weeks reversal

[jlp2097]

Ah, the smell of no clue in the morning. As this is a not too uncommon scenario in germany there is basically no bank which does not immediately give you the money back.

Re:6 weeks reversal

[Opportunist]

Consumer protection is rather toothless when it comes to banks. I've been working there and have seen things you wouldn't consider possible in any other area. Not even software development.

Also, banks usually live by the creed of "cheekiness wins". They'll smile at you and tell you to go to hell, knowing well that they're required by law to do it, also knowing that few people know the laws and would dare to stand up against an organisation that wields more money and power than dear God himself.

Re:6 weeks reversal

[Opportunist]

Well, I'm not German, but not far away either, and I'd be surprised if it was any other way there. Yes, usually you get your money back if they know for sure they get it back as well. When dealing with foreign transfers, you might be in for a surprise.

Also, read the fine print. You get your money back, but they reserve the right to reverse that if they run into troubles getting it back themselves.

Re:6 weeks reversal

[LordVader717]

This is getting complicated now, but there are different methods of debiting an account. The method which was referred to further up, in which you need only give the name and bank number is a system which will only work for german banks, so no foreign transfers. To qualify to use this service to charge customers, you need to be a registered business and fulfill certain requirements. Generally the system is considered quite safe.

The source is government

[erroneus]

I would find it to be completely unsurprising to find that the source of this information is someone within the German government, an employee, had collected and made available to criminals this information. It would seem an information pool this large could only come from such a source. Other data compromises, in my view, would seem individually unlikely to product a rate as high as 75% of all.

If I am right in this guess, it would show a strong reason why any government should not be collecting this kind of data on people. Not only is it a certainty that government itself would abuse the information, but employees with access to it would be tempted to abuse it. The government extracts far more trust of its people than it is deserving.

Re:The source is government

[Dunbal]

It would seem an information pool this large could only come from such a source.

      Why? Your argument has a flaw. It doesn't ONLY have to come from a "government source". If I know how to hack ONE bank account, what is stopping me from hacking EVERY bank account that is "protected" by the exact same security scheme?

      Conversely, with the Windows near "monoculture", if I know how to hack ONE computer using a specific OS/browser, what is stopping me from hacking ALL computers using that OS/browser?

      It doesn't have to be a "government employee" at all. Just a few banks using the same "security" system and/or clients using the same programs with the same flaw. Once you have the master key, there's no limit to the doors you can open in the building.

It's not just numbers, ya know!

[cpghost]

I have for sale EVERY VISA NUMBER EVER ISSUED! From 4000 0000 0000 0000 to 4999 9999 9999 9999! (Note: some numbers may not be valid.)

Well, do you also have the personal data belonging to those VISA numbers? Like, say, owner, expiration date, etc? Because that's what this 21M bank account list is all about: it contains not just account numbers, but also all associated identifying data (names, addresses, dates of birth, in some cases even a balance).

Armed with that, criminals can easily charge those accounts and EVERYONE in Germany MUST now check their accounts at least every 6 weeks and issue reverse-charges if they discovered fraudulent activity. And that's not always obvious, because criminals can charge small amounts and label them rather innocuously, so they could go undetected (or rather: unnoticed) for longer than mere 6 weeks.

Re:It's not just numbers, ya know!

[polar+red]

Armed with that, criminals can easily charge those accounts

no they can't, they need a PIN (personal identification number). you can't just take money from an account.

Re:It's not just numbers, ya know!

[egr]

He said charge, not take. On some webshops you don't have to enter pin number, all you need is address, name, birth date, account number, expiration data and security number. 4/5 are printed on the card (everything except address).

Re:It's not just numbers, ya know!

[the_other_chewey]

Armed with that, criminals can easily charge those accounts and EVERYONE in Germany MUST now check their accounts at least every 6 weeks and issue reverse-charges if they discovered fraudulent activity.

No. Charges without an "Einzugsermächtigung" (a permission by the account holder to the charging entity to do such charges)
can be reversed indefinitely. Some banks like to hide this fact from their customers, but every single case that went
to court was won by the customer, and most of the time it is enough to insist on that fact.

Re:So what

[aetherworld]

Um. Yes it is. I can go to any branch of my local bank any time, tell them my name and account number and withdraw up to EUR 5000,-- with just a signature.

Re:So what

[Killjoy_NL]

Bank: Deutsches Bundesbank, good morning, how may I help you?
You: Yes good morning. I'd like to order some debit cards for some accounts of mine. I hope you have your coffee, this is gonna take a while. :D

Re:So what

[sinserve]

Yeah, my Stolen Identity server offers and xml-rpc service and has a twitter account I happen to follow.

Here's how the fraud system works

[Opportunist]

You need a bit more than just the account info. You also need a sucker, having the qualities of stupid, gullible and greedy.

You get that account info. Next, you send out spam asking for people who want to earn a load of money for little, easy work. You are allegedly a big, international company that doesn't have a local office and wants to avoid the horrible local fees they impose on foreign companies (that bastard government wanting to rip you off, ya know?) when they open an account there, so you want to give that person, say, 20% of the transfered amount. Yeah, paying someone 20% of 10k is cheaper than whatever some government charges foreign companies for having an account... I didn't say it makes sense, ok? I said you need someone who is stupid, gullible and greedy.

When you found your sucker, you use that system to transfer money from the account that you know of to the sucker's account, and inform him that he has to immediately take the money (he may keep his 20%, of course) and send it to you through a way that cannot be reversed. Say, Western Union.

What happens next is that the person whose account you used for the transfer will notice a serious amount of money is missing and has his bank reverse that transaction. His bank will do that, no questions asked.

And the sucker's down 10k (minus the 20% he may keep, of course), because Western Union will at best laugh at him when he wants his money back.

Re:So what

[KDR_11k]

Don't you have to use a manual transfer first before you can establish direct debit? I think most stores are like that.

Now how can this be used

[Opportunist]

Since more than one person asked what you could do with this information, allow me to tell you a few things how the system works here in Europe.

The first possible use I have detailed above, you find some gullible fool, transfer money to him, have him forward money through WU or some other company that doesn't allow reversals and you get money.

If you need more privileges to the account, call their 24 hours service. They will ask you to identify yourself, and for this you need your account number and your name, and since you have forgotten your supersecret phrase, they will ask you for details about your account that only you usually can know, like your balance or the person responsible for you at your bank (every account here has its "personal account assistant", i.e. some person working at the bank responsible for pushing products at you). This allows you to request things mailed to your address (or change your address while you're at it), to get, say, online banking credentials, bank cards (for withdrawal), PIN numbers, replacement Credit cards and so on.

Given a recent demand from the European Union that made our formerly rather secure mailboxes (the snail mail ones) pretty insecure (to enable various hardcopy spammers to dump their junk into our mail), it's trivial to intercept the letters containing that, since they're sent out as standard mail (no signatures necessary).

Of course you can also bypass that and use phone banking, the only risk is that you're actually dealing with a real person which might (just might, they're quite underpaid and thus incredibly motivated to think past what they're paid for) just smell a fish. Or phish, for that matter.

Re:So what

[pisto_grih]

If you talk to the Russians...

So you could say, "In Soviet Russia, 21 million German bank accounts buy You!"

Re:So what

[cyxxon]

Yeah, well, except that with advance payment you (usually) have no way at all to get your money back in case of fraud. Both CC and Lastschrift (the "give the retailer your account details" thing) is much safer (yes, I am German) than simply wiring some money and hoping the goods are delivered some day... Going to the bank and telling them you want some money charged back where you yourself initiated the exchange (Überweisung) is always an exercise in fun, and if you even find a bank employee who knows it is possible and legal, you have only a 14 days window instead of 6 weeks with CC and Lastschrift. If the retailer initiated the transaction it should more or less work like with your CC institution - talk to them about it, and it should get charged back right away.

And goddamit, Slashdot, it really is 2008, get your Unicode fixed, for crying out loud.

Re:So what

[freedom_india]

??? WTF? A bank allows ANYONE to debit from your account WITHOUT any authorisation?

Re:So what

[ben0207]

I live in Germany. It really is like that here. Some shops (Beate Uhse is one I can name off the top of my head) even give you 14 days to transfer the money.

I just bought a new MacBook from Apple.de using Bank Transfer. Took a day or two longer, but I'm typing it on it now :)

Re:So what

[bickerdyke]

You know that there is no need of proof of that authorization? (Thats exactly the difference between EinzugsermÃchtigung and Abbuchungsauftrag)

All it takes is a single signature (on the side of the merchants bank) stating that he wont ever withdraw money from someone elses account without permission. It's up to the merchant how he obtains said permission. OTOH it's up to him to show evidence of that permission if (and only if) he's dragged in front of a court.

Re:So what

[MPolo]

Yep. That is essentially the system. It is your responsibility to check each month that the charges that were made were in fact authorized. As I understand, they are very good about chargebacks (suprisingly), though I have never had to actually do this. I have used this method of payment primarily with Amazon and with airlines, but it's very often an option. Germans don't particularly like credit cards (partly because German banks don't really "get" them -- most "credit" cards actually automatically suck the full amount of the bill out of your account on the due date... which means you're not worried about exhorbitant interest rates, but you're only barely buying on credit. It's actually more of a delayed debit card.)

Re:So what

Actually, its fairly safe, you can request the bank to return any money taken from your account this way, and then the onus is on the retailer to prove you recieved the goods they charged you for.

Re:Online purchases usually require TAN codes

[bickerdyke]

Thats only used for money transfers initiated by the costumer. And as there is proof that it was indeed the account owner transfering the funds (he used his secret TAN&PIN) those transfers are really hard to reverse.

It's the other way round with those Lastschriften (direct debit) easy to initiate by anyone, easy to reverse by the account holder.

Re:So what

[skolima]

Strange, in Poland Paypal withdraws money from your credit card to verify that you are indeed the holder...

bullshit

[Tom]

21 million is three in four existing German bank accounts.

Errr.... no?

Germany has about 80 mio. people living in it. Almost everyone who is not a small child has a bank account here. Most kids are given one by their parents somewhere around age 6-10 (depending on the parents) for savings. A lot of people have more than one bank account. One in four sounds more like it.

And that's just private accounts. I can't even guess at the number of bank accounts that companies have.

Re:So what

No, it's very common in Germany since credit cards are actually pretty uncommon (people can pay with debit cards in stores and you can get cash in forgein countires with German debit cards at Maestro-enabled ATMs).
And debit cards don't have a particular key-card number so these don't work for such transactions.

Furthermore, the payment from the account is actually pretty risk-free. You have several weeks to issue a "charge-back" with no conditions or costs attachted. The transaction fees for these charge-backs usually go with the store which issued the transaction in first place. So as long as you check your account regularily you are pretty much safe.

Groan - you didn't recognise the joke

[cheros]

Have a look here to get an idea of what he's suggesting: [http://shafee.net/blog/?page_id=295]

All you need to do is to generate the numbers and then throw out the ones that fail the checksum and viola, you have a list of valid numbers. What you don't have is the details to go with it, which is why it's a joke.

Having said that, CC security IS a bit of a joke. I know of a *perfectly* safe CC that goes beyond the "card present" requirement for security and does not need a secure terminal infrastructure because the card itself is safe. And it doesn't need installation (i.e. it doesn't matter if the system used for transmission is edge-to-edge infested with every trojan and MITM attack known to man), nor does it have postal theft risk as it does not need pre-customisation like an "ordinary" CC does.

It does, however, still need some time to be distributed so I don't expect that thing to make a dent in CC fraud until well into 2010. If VISA and Mastercard accept it to start with..

Re:Groan - you didn't recognise the joke

[swillden]

I'm aware of a number of up-and-coming CC security technologies, which may someday be implemented, but none which exactly fit your claims. To what are you referring?

Re:Groan - you didn't recognise the joke

[cheros]

http://news.bbc.co.uk/2/hi/programmes/click_online/7711698.stm ought to get you going ..

Re:Groan - you didn't recognise the joke

[Thaelon]

Biometrics are foolish.

Today, if someone gets your credit card information, they can make charges in your name. To resolve this, you inform your credit card company that someone is fraudulently using you card. Typically they'll just nix the charges and issue you a new card with a new number.

Throw in biometrics:
Someone gets your biometric information, they can make charges in your name. To resolve this, you inform your biometric-enhanced credit card company company that someone is fraudulently using you biometric information. They just nix the charges and issue you new...fingerprints?

So biometrics do go a long way toward fraud prevention. However, if it actually does occur, you're utterly and permanently fucked.

Re:Groan - you didn't recognise the joke

[swillden]

http://news.bbc.co.uk/2/hi/programmes/click_online/7711698.stm ought to get you going ..

A vague, high-level article about the wonders of biometrics, written by someone who has never worked with them?

Sorry, nope. I've deployed several real-world biometric systems, as well as solutions using many other authentication technologies, and none of them are the silver bullet that you described. Biometrics in particular have many limitations, including the revocation difficulties the other poster mentioned, issues with replayability and spoofing, not to mention inaccuracy (with associated birthday problem issues), lack of universality (for any biometic, there exist people who either don't have it or have an unusable version of it), and many other issues.

That's not to say that biometrics are useless. Far from it. Applied in the right way, they're a valuable security tool, but the system must be carefully tailored to play to their strengths and mitigate their weaknesses, while being practical, inexpensive and offering adequate fallback options. This is fairly easy in small-scale, closed systems, but the correct application for large-scale systems like credit card payment is far from obvious. The "Pay by Touch" system that was recently shut down was a reasonable approach, but was unsuccessful for a variety of reasons. The XCard system now being developed by a consortium of credit unions is very promising, but relies on rather optimistic assumptions about the future capability of technologies. Meanwhile, the venerable EMV "chip and PIN" solution is relatively insecure, but has been very successful at eliminating fraud.

Personally, I think the best option is NFC technology. Mobile phones have processors, power supplies, displays and, with NFC, a secure CPU with a short-range RF connection to a reader. Authentication can be done using the keypad (password), or a fingerprint scanner can be embedded. Put all those pieces together in the right way -- which is non-obvious, but doable -- and you have what I think is a solution that is workable on a large scale.

Of course, I could be wrong. There could very well be reasons that NFC won't work either. These things are much harder than they appear.

Re:Groan - you didn't recognise the joke

[cheros]

The article is vague because a journalist has 100 words to describe a 1000 word concept, and as far as I can see it's "sponsored" by a party that hasn't done the thinking (notice that nobody of the hardware supplier speaks in this piece), and the specific supplier is only now starting to go to market. I have a background in security in various guises and have come across this product in my work - I suggest you keep an eye on them (and pray they put some more decent explanations on their website - at present it's clearly a startup and their public docs, well, basically suck). There's a lot going on behind the scenes AFAIK, and it's Swiss. They tend to be almost neurotic about doing things right :-).

Anyway, NFC. I am uncomfortable with NFC because it's a transmission, that invariably means a hard to control electronic footprint of unknown size (the main reason I dislike the EU RFID passport spec as well - no shielding). I've had various people try to talk me into NFC, but I grew up with electronics and radio transmissions, and I have seen enough of early and later Tempest work to be exceptionally wary of broadcast (I don't use WiFi, Bluetooth or wireless keyboards either). It depends on how much money you want to spend how far away you can access such facilities, and I prefer not to find out the hard way that someone has just improved the range by using, for instance, a better antenna. We've already done this with RFID.

Having said that, maybe you could combine an access mechanism with NFC (and RFID for that matter, I think that's in the spec) so that it won't broadcast until it has your permission. But that partly removes the benefits, I guess.

You're right, though - this stuff is much harder than appears at first glance. There are a lot of variables to manage..

Re:So what

What do you mean behind?
Pirates took inspiration from Vikings. Actually, pirates is just a veak imitiation without a real hat

Re:So what

[umghhh]

In Germany you can. It is enough to give the shop 'your' bank account and they will withdraw. The actual owner has of course a chance of making the transaction void. Whether that is easy to abuse on a mass scale I am not sure.

nevertheless in Germany privacy and law is not taken that seriously by the state especially if it associated with filling up the state's coffers so I guess that is desired development here.

Re:So what

Pfft. We recently moved to Norway. The envelope of letter that my gf can now fetch the card from the bank was not closed. Additionally, she did no have to show her ID/passport when fetching the card.
I suppose Germans are way more sensitive and bureaucratic ;)

"Three in four" - nope

[the_other_chewey]

21 million is three in four existing German bank accounts.

Certainly not. Germany has over 80 million inhabitants, and it is very common even for
"ordinary people" to have more than one account. And that's not counting all the corporate accounts,
small businesses with accounts at every local bank, etc.

Of course, this doesn't mean there isn't a problem. It is estimated that the data of more than 80% of
german bank accounts can be pruchased on the black market. But this would be way over a hundred million accounts.

Re:So what

[the_other_chewey]

Wow, that's so behind. In Norway, there's no way to charge an account without full ID.

Yes there is. I've been quite scared to learn that it is possible to charge my account using my Maestro card
without its PIN code in Norway. I've been asked "Do you have a PIN code for that card?" regularly when
paying with it all over Norway - apparently, it is quite common for norwegians to have cards without them. In
such a case, the store clerk is supposed to check the ID. Guess how good or how reliably this works, especially
with foreign IDs...

Sting Operation?

[psnyder]

Sounds like a story the government could feed the press in order to catch people. Similar to government run websites that look like terrorist or kiddy porn sites.

Maybe, maybe not

Re:So what

[the_other_chewey]

??? WTF? A bank allows ANYONE to debit from your account WITHOUT any authorisation?

No. At least not in theory. The person/corporation/entity charging yout account has to get your permission
to do that first (called "Einzugsermächtigung"). Then, everyone wanting to do such charging has to get it approved
with their bank, which is not completely automatic - non-commercial entities need a very good reason to be
allowed to do that.

However, the existence of such an "Einzugsermächtigung" is not checked by the banks, so if you claim to have one, the default is
to believe you. But this also means that if such a charge happens without one, it can be reversed indefinitely. Banks like to
tell teir custemers that there is a six week limit on this, but this is only valid for charge reversals on charges that were done by
someone actually having the account holder's permission.

The whole system works surprisingly well.

Re:So what

[qmaqdk]

Oh, yeah. The difference between Vikings and Pirates can't be more than a few megafonzies.

Re:So what

[jabithew]

"Hi, me and my friends want to buy this aircraft carrier. Can we split the check evenly over 21 million debit cards?"

Re:So what

[jabithew]

Cash theft is a significantly more proven technology than any of these other methods.

Re:So what

[Random+Walk]

I don't think it's that Germans don't "get" them.. it's more that they were invented to circumvent the 17th century backwardness of the US banking system. There wasn't ever any need for them in Germany, and the high charges (for the merchants) are not suited to make them popular if better solutions exist.

Note that you can overdraw your account anyway, so there is no need for the "credit" functionality either.. and since the account is balanced by the next payment from your employer, you are on average less due than with a separate "credit" account of your card.

Send me a dollar please

[Troy+from+Montana]

Think would bother you if you only stole $1 from every account once a month?

Re:So what

[partenon]

Just allowing anyone to put a charge on a bank account number like that opens up for all sorts of abuse. Tiny transactions can go unnoticed for a long time.

I cannot see how it differs from credit card. In Brazil, only companies can charge to your credit card. That means, the company must exist as legal entity.

So, why would it be different with your bank account? It is all about your money, right?

Re:So what

[TheLink]

Most of those Vikings went to England and became ancestors of those skinheads that like bashing people up for fun.

Those that stayed in Norway (and the rest of Scandinavia) were the far more peaceful folk who didn't feel like travelling to other countries to bash people's heads in. :)

Re:So what

[yoma666]

That's true in 2008 you can actually buy banks themselves in bulk. Gotta love the credit crunch.

Re:So what

[SBrach]

Someone did this. There was a /. story. I am too lazy to look it up.

Re:So what

[repvik]

Uh, common with non-PIN cards?! Which Norway have you been in? I've grown up here, and have yet to see a debit card (like Maestro) which does not require a PIN to work.

Re:So what

[repvik]

So, create a fake legal entity. Bingo?

I've this big box of gold bars, see...

[sabt-pestnu]

and here's this one gold bar, I'm sure you can tell that it's real gold. Yessiree, real gold. That whole box in the truck. But of course, all you can check is the one bar.

These are, after all, criminals that you are talking about. Who is to say that they were not also con artists?

However, if you assume that even half the account IDs on the disk were valid, that's still in the neighborhood of 2% of all German accounts (if the 21 mil = 3/4 number holds true).

Re:So what

[oneTheory]

Why don't people seem to like the Soviet Russia thing that much anymore? I think it's hilarious every time even though I'm not really sure why.

Re:So what

[Cowmonaut]

So its like Superman 3 but with PayPal?

Re:So what

[RedWizzard]

Um. Yes it is. I can go to any branch of my local bank any time, tell them my name and account number and withdraw up to EUR 5000,-- with just a signature.

But the onus is on the bank to ensure the signature is legitimate. If the owner of the account contests the withdrawal and the bank can't show an accurate signature then the bank will have to refund the withdrawal. So the account owner is protected. For the banks protection they tend to have security cameras so the criminal is taking a significant risk in trying to physically withdraw money.

Re:So what

[LordVader717]

You certain about that? Cause that's what this guy in the UK thought.

On a CD Rom ?

[bruceslog]

Those thieves should be super rich by now.
Selling a CD Rom to a news crew was just the beginning, I bet.
They are probably selling the other 120 copies they'd made of that CD Rom to other people/groups in other countries all this past week.

These are thieves. after all_

Re:So what

[aetherworld]

Um. Yes it is. I can go to any branch of my local bank any time, tell them my name and account number and withdraw up to EUR 5000,-- with just a signature.

But the onus is on the bank to ensure the signature is legitimate. If the owner of the account contests the withdrawal and the bank can't show an accurate signature then the bank will have to refund the withdrawal. So the account owner is protected.

... which has nothing to do with me being 5000 Euro richer :)

Re:So what

[RedWizzard]

But the onus is on the bank to ensure the signature is legitimate. If the owner of the account contests the withdrawal and the bank can't show an accurate signature then the bank will have to refund the withdrawal. So the account owner is protected.

... which has nothing to do with me being 5000 Euro richer :)

Right, but since the banks screwed up in the first place I'm not too bothered if they foot the bill.

Disagree - look at deployment

[cheros]

What is sheer idiocy is storing them in a central database like the US and UK do - I agree with you 100%.

That is one single point of failure: change the record and you are indeed screwed. However, have them as means to access a local resource (like a biometric card that holds the prints as a has ON THE CARD ITSELF and doesn't send them onwards) is a good idea.

There's also the use of biometrics. For identification it sucks, because of the granularity you WILL get eventually identical results (as an example, if I use hair color as metric I will start to get repeats after I've done about 5 people - and here too I have some people that do not register at all because they're bald). This is also why big databases are simply useless. It's as useful as assuming that everyone called George Bush is/was a president..

However, for authentication it works as you need a much lower granularity to guarantee exclusivity. All I need to confirm is that for a given situation there is a high probability that I have indeed the right physical person. That works, because I pair that with a username or account.

And here endeth today's lesson. Sorry if it was a bit lecturish, but the distinctions above are critical to evaluate the use of biometrics in context. Whoever wants to store biometrics in a big database needs to explain to me first why he thinks treating me as a criminal in advance of a crime is acceptable. And that's the same question YOU should ask - as that precedes all this "if you don't have anything to hide you won't mind" nonsense that is spouted so often as an argument why it might be acceptable. It isn't.

Re:So what

[ModernGeek]

I wonder if that is where they get the money to verify American accounts!